Our world is becoming more and more connected. The Internet of Things is rapidly becoming The Internet of Everything. And with this connectivity comes a growing level of vulnerability and risk. Cyber attacks may be initially aimed at specific targets or countries, but isolating its destructive power has proven to be difficult, as the ripple effects of NotPetya showed us in 2017. From a historical point of view, the development of the IoT parallels the rise, and fall, of the (anti-)nuclear movement after WWII.
The horrific nuclear attacks on Hiroshima and Nagasaki in 1945, and the amount of civilian casualties it caused, raised public concerns over the use of nuclear weaponry and the safety of nuclear energy. After WWII, the scientific world became more vocal about the risks and the general public soon followed. The 1970s heralded the rise of green parties and anti-nuclear movements, successfully adding political pressure on governments. Large public demonstrations resulted in policy changes and global shutdowns of nuclear plants. The 1986 Chernobyl distaster and the problems with the Fukushima plant in 2011 have kept unease among the general public high, although interest has been growing in nuclear energy as a relatively eco-friendly energy source over the last over the last decade.
Summarizing, the anti-nuclear debate went through the following phases:
- Technology is developed and adapted
- Major (global) disaster
- Scientists lead the way in voicing concerns
- Public awareness grows
- Public outrage and activism
- Technology gets abandoned or its use is limited (by law)
Comparing this with where we are at with the anti-IoT movement, the current state seems to be somewhere between phase 4 and 5. The technology is here, we’ve seen major incidents like NonPetya, security experts are voicing their concerns, and the general public is becoming more aware and concerned over privacy and security issues.
That said, there is still very little (global) activism and organised protest. There are plenty of digital rights groups trying to create awareness and a political lobby, but on the whole, the number of people involved in these groups is small. So it seems very unlikely that we will be entering phase 5 anything soon.
Why is that?
One possible reason why we see very little public outcry may be that digitalisation and digital connectivity are already so entwined in our society and of an inheritently personal nature that there is no common denominator to protest against. It is a lot easier to unite against a governments’ political agenda, than to unite over an elusive technological progress. Governments seem to realise this and try and stay away from accepting ownership or responsibility (it could be as easy as making standard security frameworks and baselines mandatory by law for any new connected device that enter the local market).
Another factor may be that digitalization adds tremendous value and is seen as a positive user experience in our daily lives. Who can still remember what it was like to be late for a meeting and having no way to contact the other party? When a computer was a stationary device in a dedicated room in the house? When we had to wait for weeks to see pictures of aunt Julie’s new baby or travel for 2,5 hours (if lucky) to go see what the newborn looked like? Are we ready to risk losing some of that convenience, joy and flexibility in favor of protecting ourselves against an unknown, and perhaps unreal threat?
I don’t think so.
So instead of currently being between phase 4 and 5, we might actually really only be in phase 1. And the fact that we see glimpses of phase 3 and 4 might really just be a result of our interconnected worlds. In 1945, you didn’t know a whole lot of what was going on in the rest of the world. Today, that same world is just a click away. Also, randsomware attacks like NonPetya caused major inconveniences, but they were hardly at the level of destruction of the atomic bombings in ’45. So cyber attacks have not really affected our lives (or moral, ethical and emotional compasses) in a major way.
Taking this into account, we are actually still waiting for phase 2. But, be aware, we know that vital infrastructure is being mapped by foreign entities. And there is potential for phase 2 sabotage, blackmail and Cold War-era political stand-offs.
The only way governments can limit the risks and potential destruction caused by a phase 2 incident is by acting now, by implementing laws and regulations to reduce the number of vulnerable devices.
If not, enter phase 5.